Lieberman Cybersecurity Bill Would Give DHS Broad Emergency Powers Over the InternetJune 14, 2010 - by Donny Shaw
Senate Democrats began their cybersecurity efforts this session of Congress with a bill from Sen. John Rockefeller [D, WV], S.773, that would have given the President unilateral authority to “limit or shutdown” traffic to any part of the internet he deems “critical” in an emergency situation. That didn’t fly with anyone.
Next came a major amendment to the bill from Rockefeller and Sen. Olympia Snowe [R, ME] as it went through the Commerce, Science and Transportation Committee. The amendment would require the President to develop an emergency “response and restoration” plan in coordination with private companies that could be implemented in the case of a presidentially-declared cybersecurity emergency. The revision did not explicitly grant the President “shutdown” powers (though it also did not explicitly prohibit them) and it added a few safeguards and oversight measures. But, alas, it seems to have stalled over civil liberties concerns as well.
Now, Sen. Joe Lieberman [I, CT] is stepping onto the cybersecurity legislation scene with his fresh, new Protecting Cyberspace as a National Asset Act of 2010. He just introduced it on June 10 and it’s already scheduled for its first hearing in Lieberman’s Homeland Security Committee, tomorrow.
So, how does it do on protecting civil liberties and an open internet during cybersecurity emergencies?
The bill directs the director of the new National Center for Cybersecurity and Communications, which would be housed in the Department of Homeland Security, to establish a process by which the owners and operators of “critical infrastructure” can develop their own “response plans for a national cybersecurity emergency.” This follows the general direction of the bill, which puts more control in the hands of the companies that own private internet infrastructure, and less in the hands of government officials. There is very little in the bill describing what these emergency response plans should be, nor is there much in the bill describing the process the Director should be setting up for facilitating the plans.
But here’s the catch. Under Sec. 249, “National Cyber Emergencies,” if the President issues a declaration of national cyber emergency, all affected critical infrastructure will be required to implement their response plans, but the new DHS Cybersecurity Director will also be given broad power to “develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure.” Owners and operators of critical infrastructure would be required to “immediately comply” with whatever emergency measures or actions the NCCC deems necessary.
Cyber attacks typically constitute attempts to interrupt reliable operation of critical infrastructure, so these emergency measures to preserve reliable operation may well require limiting or shutting down access to certain areas. There are absolutely no guidelines in the bill restricting such measures or preventing them from being, basically, kill switches, though the bill does state that they must “represent the least disruptive means feasible.”
All emergency measures and cyber emergency designations expire automatically after 30 days under the bill, but the NCCC Director or the President can extend the emergency designation indefinitely in 30-day intervals if they certify in writing that a threat still exists.
The text of the bill is not yet readable online, but you can download a 197-page PDF of it here. According to Tech Daily Dose, after tomorrow’s hearing, this bill could move fast. “The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the bill on Tuesday and Lieberman said he aims to markup the legislation the following week. He added that Majority Leader Harry Reid, D-Nev., has indicated he wants to move cybersecurity legislation this year.”